CPSA Import Flashcards
CPSA Import
What is a passive OS fingerprinting technique
Monitoring network traffic using tools such as Wireshark for information re: the OS, also using p0f which is a tool that listens to network traffic and fingerprints OS based on characteristics of the packets
What is an active OS fingerprinting method
Using a port scanner like nmap
nmap flag to get OS details of target
-O for Operating System details
What is banner grabbing
A technique where attackers identify infrastructure details from headers, scans, etc.
How can we get application versions from a network
We can use a nmap scan with flag -sV to enable version detection
How can we get server types from banners
a cURL -I request will show the response headers which often includes a Server header, e.g: Server: Apache/2.4.41 (Ubuntu)
What is the difference between encryption and encoding
Encryption requires a secret key to be decrypted and is not reversible without it, whereas encoding means it uses a predefined scheme to convert data from one form to another with no key such as base64
What is encryption
Encryption involves using an algorithm and a key to transform plaintext into ciphertext. The process is reversible only if the correct decryption key is used
What is encoding
Encoding uses a predefined scheme to convert data from one form to another. The process is reversible without the need for a key\
What are the key factors that change between encoding and encryption
There are differences in reversiblity and levels of security
What are examples of encryption
RSA, AES
What are examples of encoding
Base64, ASCII, URL encoding
What is a hash
A hash is a cryptographic function that takes an input and returns a fixed size string of bytes, the same input will always produce the same output, known as a “digest”
What are the two most known hashes
MD5 and SHA1
Are MD5 and SHA1 considered secure
MD5 and SHA1 are considered insecure and unsuitable for most applications
Bit length of MD5
128-bit hash
What was MD5 designed for
MD5 was designed to be a cryptographic hash function used for integrity checking, digital signatures, etc
Why is MD5 considered insecure
Due to collision vulnerabilities, researchers found that MD5 is susceptible to collision attacks where two DIFFERENT inputs result in the same hash output
What is a collision vulnerability
Where two different inputs result in the same hash output
What is the real world risk of collision vulnerabilities in hashing
Being exploited in attacks such as creating malicious certificates that appear legitimate as they have the same MD5 hash as a trusted certificate
What is SHA1 bit size
160-bit hash
What was SHA1 designed for
Used to be widely used in cryptographic applications, including SSL/TLS certificates, file integrity validation
Why is SHA1 considered insecure
SHA1 is considered insecure as researchers demonstrated that two outputs can produce the same hash output
Is SHA1 considered secure
SHA1 is considered
Is SHA1 exploitable/breakable
SHA1 is breakable as the cost and time required to generate SHA1 collisions have been decreaasing, making it feasible for well-funded attackers to break SHA1
NIST advice for SHA1
NIST advices against using SHA1 in favour of stronger algorithms like SHA256 or SHA3
What is HMAC
Type of Message Authentication Code that uses a cryptographic hash function along with a secret key to provide data integrity and authenticity, the secret key is only known by the sender and the recipient
What does MAC in HMAC stand for
Message Authentication Code
What does a HMAC do
It verifies that the payload has not been tampered with, like a JWT signature being verified
What is the OSI Model
The OSI Model is a reference model that enables the communication of different technical systems via various devices and technologies and provides compatibility
What are the layers of the OSI Model (in order)
Physical, Data Link, Network, Transport, Session, Presentation, Application
What are the layers of the TCP/IP Model
Link, Internet, Transport, Application
What is Layer 3 of the OSI Model and what does it do
L3 layer is the Network layer and it is where data packets are transferred from node to node until they reach their destination
In the postal/mail example of Network, what is the IPv4/IPv6
It is the unique postal address and suburb of the receiver’s building
In the postal/mail example of Network, what is the MAC Address
It is the exact floor and apartment of the receiver
How many bit groups are in an IPv4
8 bit groups
How many binary numbers in a IPv4 Address
32
What is the number convention of each bit in the IPv4 Address (descending order)
128, 64, 32, 16, 8, 4, 2, 1
What is the Subnet Mask
Describes which bit positions within the address are the network part and the host part
Can the bits of the subnet mask reflected in an IPv4 Address ever change (255.255.0.0) can 192.168 part of 192.168.24.2 ever change, and give explanation
No, if the subnet mask is 255. that entire section of the IPv4 Address cannot change, if it is something like 192, we have to write out the 8 bit binary notation of that subnet mask (from either the CIDR or the subnet mask) and the bits with 1 can not change
Wht is CIDR
Classless Inter-Domain Routing is a method of representing the subnet mask in a suffix form
Give an example of a CIDR suffix and which parts of the IPv4 can and cannot change due to the subnet mask/CIDR suffix
/26 would be 26 (1) in the subnet mask, which is = 255.255.255.192 would be 1111 1111 . 1111 1111 . 1111 1111 . 1100 0000 so the last 6 digits can be changed, we can find the first and last IP’s of that IP subnet with this information
What is IPv6 and how many bits in length
IPv6 is the successor of IPv4 and is 128 bits in length
How many blocks is a IPv6 address
8 blocks of 16 bits each (4 hex numbers)
How can a IPv6 Address be shortened
If the entire block is 0000 we can get rid of that and replace with double colomn (::)
TCP Telnet
23
TCP SSH
22
TCP SNMP
161
TCP HTTP
80
TCP HTTPS
443
TCP DNS
53
TCP FTP
20-21
TCP TFTP
69
TCP NTP
123
TCP SMTP
25
TCP SMB
445
TCP RDP
3,389
TCP LDAP
389
TCP ICMP
0-255
23
Telnet
22
SSH
161
SNMP
80
HTTP
443
HTTPS
53 TCP
DNS
69
TFTP
123
NTP
25
SMTP
MySQL
3306
3306
MySQL
DHCP
67
67
DHCP
What is UDP
UDP is a connectionless protocol which means it does not establish a virtual connection before transmitting data, instead it sends data packets and does not check to see if they were received
What is an example of UDP
Video streaming, online gaming
What does UDP stand for
User Datagram Protocol
What is TCP
TCP is a connection-based protocol that establishes a virtual connection between two devices before transmitting data via a Three-Way handshake, as a result TCP is slower than UDP
What is the negative of TCP
It is slower than UDP due to the Three-Way Handshake
What does TCP stand for
Transmission Control Protocol
What is ICMP
ICMP is used by devices to communicate with each other on the Internet such as ping request, which tests connectivity between devices
What does ICMP stand for
Internet Control Message Protocol
What is symmetric encryption
A method that uses the same key to encrypt and decrypt the data, meaning the sender and receiver must have the same key to decrypt the data
What are examples of symmetric encryiption
AES and DES
What does AES stand for
Advanced Encryption Standard
What does DES stand for
Data Encryption Standard
What is considered to be the most secure encryption algorithm nowadays
AES
What is asymmetric encryption
Is a method of encryption that uses two different keys, a public key and a private key. The public key is used to encrypt data and anyone can access it but only the recipient has the private key who can decrypt the data
What are examples of asymmetric encryption
RSA, PGP, ECC
What does RSA stand for
Rivest-Shamir-Adleman
What does PGP stand for
Pretty Good Privacy
What does ECC stand for
Elliptic Curve Cryptography
What is 3DES
3DES is an extension of DES which encrypts data more securely, the procedure for this usually consists of three keys
Which is faster AES or DES and why
AES is faster than DES due to its more efficient algorithm structure, as it can be applied to multiple data blocks at once making it faster
What does IKE stand for
Internet Key Exchange
What is Diffie-Hellman
Diffie-Hellman is a key exchange method which allows two parties to agree on a shared secret keey without any prior communication or shared private information
What is Diffie-Hellman vulnerable to
MiTM attacks where the attacker intercepts the communication and pretends to be one of the parties
What are Key Exchange Methods
Diffie-Hellman, RSA, ECDH, ECDSA
What is RSA
RSA uses the properties of large prime numbers to generate a shared secret key, relies on the fact it is easy to multiply large prime numbers but challenging to factor the result back into its prime factor
What does ECDH stand for
Elliptical Curve Diffie-Hellman
What does ECDSA stand for
Elliptic Curve Digital Signature Algorithm
What are examples of commonly used authentication protocols
TLS, SSL, OAuth, HTTPS, 2FA
What does WEP stand for
Wired Equivalent Privacy
What does WPA stand for
WiFi Protection Access
What are security features on a WiFi connection
Encryption, Access Control and Firewalls
What does WPA do
WPA provides the highest level of security by using a secure authentication method such as a pre-shared key
What is LEAP and PEAP
They are authentication protocols used to secure wireless networks to provide a secure method for authenticating devices and are used in conjunction with WEP/WPA
What does LEAP stand for
Lightweight Extensible Authentication Protocol
What does PEAP stand for
Protected Extensible Authentication Protocol
Which is more secure, LEAP or PEAP and why
PEAP is more secure as it uses a secure authentication method called TLS, whereas LEAP uses a shared key for authentication, which makes it easy to gain access if the key is compromised
What is a Disassociation Attack
It is a wireless network attack that disrupts communication between a WAP and clients by sending disassociation frames causing the client to disconnect from the network
What is IPSec
IPSec is a network security protocol providing encryption and authentication for internet communications, encrypts the dta payload of each IP packet and adding an authentication header (AH) which is used to verify the authenticity of the packet
What two security protocols does IPSec use
Authentication Header and Encapsulating Security Protocol (ESP)
What is ESP
Provides encryption and optiinal authentication for IP packets, it encrypts the data payload of each packet
Internet Key Exchange (IKE) Port
UDP 500
UDP 500
Internet Key Exchange (IKE)
What is SSL
SSL is a cryptographic protocol designed to provide secure communication over a computer network, it was the predecessor of TLS
Which is more secure SSL 3.0 or TLS 1.0
TLS 1.0
What is the standard protocol for securing communications
TLS
What is PGP
PGP is an encryption program that provides cryptographic privacy and authentication for data communication
What is PGP often used for
PGP is often used to secure emails and files encrypting them, ensuring only the intended recipient can read the contents
What is TKIP
TKIP is a security protocol used in wireless networks and was designed as a temporary solution to improve security on existing hardware that initially only supported weaker WEP encryption
What does TKIP stand for
Temporal Key Integrity Protocol
Where does TKIP rank amongst WEP and WPA
TKIP was an improvement over WEP but still not as secure as the later WPA2 which uses AES encryption
What encryption does WPA2 use
AES
Why was WEP depracated
WEP was depracated due to weak encryption, WEP’s use of RC4 cipher and poor implementation of key management makes it susceptible to a variety of attacks
What information can we find in a WHOIS query
Domain name, registrar, registrant contact, administrative contact, technical contact, creation/expiration dates, name servers, etc.
What is a whois query
It is like a phonebook for the internet
What tool can be make to query DNS information
dig
What does dig stand for
Domain Information Groper
What is DNS
DNS is like the internet’s GPS system, guiding your journey resolving domain names to precise IP addresses
What is a DNS zone
A zone is a distinct part of the domain namespace that a specific entity manages, e.g: example.com and all its subdomains would belong to the same DNS zone
What is a DNS Zone Transfer
A DNS Zone Transfer is a blueprint of all DNS records within a zone which is used to recreate in the same formatting from one name server to another
What is a DNS Zone Transfer vulnerability
If not properly secured, the Zone Transfer file can be downloaded, revealing a complete list of subdomains, their associated IP addresses and other sensitive DNS data
How to check for a DNS Zone Transfer vulnerability
dig axfr @
How to find the DNS server
dig ns
What is an A Record
It is a mapping to an IPv4 Address
What is an AAAA Record
It is a mapping to an IPv6 Address
What is a CNAME
Canonical Name, it creates an alias for a hostname, pointing it to another hostname
What is an MX Record
Mail Exchange Record, specifies the mail server(s) responsible for handling emails for the domain
What is an NS Record
Name Server Record, delegates a DNS Zone to a specific authoritative name server
What is a TXT Record
Text Record, stores arbitrary text information, often used for security policies and domain ownership verification
What is a PTR Record
Pointer Record, Used for reverse DNS lookups, mapping and IP address to a hostname
What is a SOA Record
Start of Authority Record, specifies administrative information about a DNS zone, including primary name server, responsible person’s email and other parameters